diff --git a/docs/google-oidc-provider.md b/docs/OIDC-Provider-Examples/google-oidc-provider.md similarity index 100% rename from docs/google-oidc-provider.md rename to docs/OIDC-Provider-Examples/google-oidc-provider.md diff --git a/docs/OIDC-Provider-Examples/microsoft-oidc-provider.md b/docs/OIDC-Provider-Examples/microsoft-oidc-provider.md new file mode 100644 index 00000000000..09733014733 --- /dev/null +++ b/docs/OIDC-Provider-Examples/microsoft-oidc-provider.md 
@@ -0,0 +1,44 @@ +# Registering your Microsoft Entra (former Azure) as external OIDC provider in UAA + +You can use your Microsoft account to be setup as an [OIDC provider](https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc) for +UAA login. In order to prevent storing a client secret in UAA configuration, either register the external OIDC provider with a public client or use +X509 [certificate credentials](https://learn.microsoft.com/en-us/entra/identity-platform/certificate-credentials). +Prerequisit is the setup OIDC version 2.0. You have to know your tenant ID. Then you know your issuer using +link https://login.microsoftonline.com/{tenant}/v2.0/. Your discovery URL is https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration. + +1. Create a new aplication in your App registrations in your directory. After creation you see in Overview section the client_id, which is needed. +2. Configure in Authentication section and configured there a Web Redirect URI for your UAA setup. In addition it is recommended to add your +UAA/logout.do as Front-channel logout URL, so that you also get SLO for your browser flows. + + Add following URI in redirect URL: + + `http://{UAA_HOST}/login/callback/{origin}`. [Additional documentation for achieving this can be found here](https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/1ae324ee3b2d4a728650eb022d5fd910.html). + +3. In section Certificates and serets it is reommended to store your X509. You can get it from your UAA/token_keys from property x5c. + +4. Minimal OIDC configuration needs to be added in login.yml. 
Read configuration refer to '[https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration](https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc)' for discoveryUrl and issuer + + login: + oauth: + providers: + microsoft: + type: oidc1.0 + discoveryUrl: https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration + issuer: https://login.microsoftonline.com/{tenant}/v2.0 + scopes: + - openid + - email + - profile + attributeMappings: + user_name: email + linkText: Login with Microsoft + showLinkText: true + relyingPartyId: 3feb7ecb-d106-4432-b335-aca2689ad123 + jwtclientAuthentication: true + +5. Ensure that the scope `openid`, `email` and `profile` is included in the`scopes` property. Then UAA shadow user (if addShadowUserOnLogin=true) is +created with most important properties like first and last name and the email. The UAA user name can be defined with a +custom configuration as pointed out in the example. If the user_name mapping is not set, it will be an opaque id always. +If you want use another attribute from your directory, define the claim in token configuration and map it here. + +6. Restart UAA. You will see `Login with Microsoft` link on your login page. diff --git a/docs/okta-public-oidc-provider.md b/docs/OIDC-Provider-Examples/okta-public-oidc-provider.md similarity index 100% rename from docs/okta-public-oidc-provider.md rename to docs/OIDC-Provider-Examples/okta-public-oidc-provider.md diff --git a/docs/sap-public-oidc-provider.md b/docs/OIDC-Provider-Examples/sap-public-oidc-provider.md similarity index 100% rename from docs/sap-public-oidc-provider.md rename to docs/OIDC-Provider-Examples/sap-public-oidc-provider.md diff --git a/scripts/cargo/uaa.yml b/scripts/cargo/uaa.yml index 9219d171c8e..2855e412e39 100644 --- a/scripts/cargo/uaa.yml +++ b/scripts/cargo/uaa.yml 
@@ -18,36 +18,63 @@ LOGIN_SECRET: loginsecret jwt: token: - signing-alg: RS256 - signing-key: | - -----BEGIN PRIVATE KEY----- - MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCowKUlfOfJxXZt - DWkVs3xb4BZJiGlLYxUAaGRY2WbG/YjHT/6frOOK+N2jFyrtElHiRXJyhV4PTsOJ - YSVhKdAt15A+AoBwGLCKVHfRTLINMpyoNBDmuQKDY42XBXRoyyDvgppd5exXrncB - KzcVgS25LVoP8Nvn4XJcXweQejzHLX01SeqwNZCeHUeGSXKfG7a29bR/DagMTWnA - 2X5YsRU+2VykK1/hVK/4ZrC0GIjrGZiwYEwL3Db0RIcWo/DQ1IJGGXIl/qsME0f/ - vrqbMr+8TMDivMZMERSoPFOD/wmlGGH0PeqWNKyaoK2lCiWg4BpQoKpIlv+Eo+yl - 77uv1xibAgMBAAECggEADtC4jwJ/MDuZ6pGtvKSBEgKp7wzyJZa00ZzYo0sVSi1L - 58FSDiW15Zqn84YSR2iY1l//eY0HVYCDC6aDC07W9cQoaArjLzQ6GslQqm6GOtqX - +CJ3q2Uc+RKkuL7XWgEfZDexb4+PwNQfb/OIOgCZCY1kP0sHm3BNEIDQheXD1gtq - 8KTOBy/TtN7rV940LoudgQ8vzz+ShhmG7Dt5yws/QzaBpryLncGsGYZSDnvvEBYY - dlbYQEgfLmzdKSDKW3DNV+duaBDeArxZViD7EqPpQxIOawBvl5bs6Radz7OEGZ7k - hTr2fYU4JGn4WJl61yJg4Xm6pp9cJmi+BIgwLrvXNQKBgQDTPjZ6jCPXAfY6WRVD - +hTKgrdhMzNALuiZeyWNSKiiDKgtx1A8OhUAgGzY/PeqmDabiVWKtso+EazfMwa+ - BrScf+HEZFUvNJ5tGxe6nEEFCx0n5ELUM/L4SWCtD6eFCNYcAY1XvzPD1F3KzewE - vw8FbT34fef+YayuIF3PPODtJwKBgQDMgcEnXARRzsIC7i1ggqSU8N0OUSu+rA/h - Md9Uh9HsY18p8JtNezAQ2vV4RL3R/CUPGXeDvCBYWhXlkNmjdCAsk24DZHs2Q18x - TeHZ15PUtmd2tH/tAxANDi6RTTjpQI3w2poXHl2ZVuT8M+XkTv0WzI0c8TNog2RA - SzHd5z5JbQKBgQCDlvim5E+bKzywYjfuDYYQFNeZNCTT8aSxn1XoKf/qWooVYlin - ++KDWnzzurmpSoKR5z4jV/SqL6aJr6aej1zJNJx2E65A5r1d6AejFp0mQCMca4P5 - 3paXdlZD2EGZjMSb05extojPj6YRpK9G0aHQ1plJB12SSFQicEUfyKOw9wKBgD09 - ScLoih6ZRH2uJwZ0eKZlLj0AT5IsYiD0V0Uv2svnwfKEK21bSzxw5Prb0t/TmqFX - 5fMb3a+3YkE5TALnXk8a4uG/MCpCqHnSMaSTKqCS8o6YZIpr1V2jdoxqTHWEsDyE - qYnsvOiTHcTsIZZplN5D6KnXDKbqWZXrLoadnYhNAoGACESLgCy552WcM7vNt4Fw - 7lR/O3gEnwD41gIx5EGa/UoA08Q+i7sBt9PkL4oQrJ/MYCcVNnmg9KrJdlqF4AlE - HYeZSkMuQDYHcaO9xtYP3QdhD+nLXbNrCxaSSaSX8tS4BjdcSH1yMyLFg5OqiJYg - wYFiptyKFm5QqFhFTY+20aE= - -----END PRIVATE KEY----- + policy: + activeKeyId: key-1 + keys: + key-1: + signingAlg: RS256 + signingKey: | + -----BEGIN PRIVATE KEY----- + 
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCowKUlfOfJxXZt + DWkVs3xb4BZJiGlLYxUAaGRY2WbG/YjHT/6frOOK+N2jFyrtElHiRXJyhV4PTsOJ + YSVhKdAt15A+AoBwGLCKVHfRTLINMpyoNBDmuQKDY42XBXRoyyDvgppd5exXrncB + KzcVgS25LVoP8Nvn4XJcXweQejzHLX01SeqwNZCeHUeGSXKfG7a29bR/DagMTWnA + 2X5YsRU+2VykK1/hVK/4ZrC0GIjrGZiwYEwL3Db0RIcWo/DQ1IJGGXIl/qsME0f/ + vrqbMr+8TMDivMZMERSoPFOD/wmlGGH0PeqWNKyaoK2lCiWg4BpQoKpIlv+Eo+yl + 77uv1xibAgMBAAECggEADtC4jwJ/MDuZ6pGtvKSBEgKp7wzyJZa00ZzYo0sVSi1L + 58FSDiW15Zqn84YSR2iY1l//eY0HVYCDC6aDC07W9cQoaArjLzQ6GslQqm6GOtqX + +CJ3q2Uc+RKkuL7XWgEfZDexb4+PwNQfb/OIOgCZCY1kP0sHm3BNEIDQheXD1gtq + 8KTOBy/TtN7rV940LoudgQ8vzz+ShhmG7Dt5yws/QzaBpryLncGsGYZSDnvvEBYY + dlbYQEgfLmzdKSDKW3DNV+duaBDeArxZViD7EqPpQxIOawBvl5bs6Radz7OEGZ7k + hTr2fYU4JGn4WJl61yJg4Xm6pp9cJmi+BIgwLrvXNQKBgQDTPjZ6jCPXAfY6WRVD + +hTKgrdhMzNALuiZeyWNSKiiDKgtx1A8OhUAgGzY/PeqmDabiVWKtso+EazfMwa+ + BrScf+HEZFUvNJ5tGxe6nEEFCx0n5ELUM/L4SWCtD6eFCNYcAY1XvzPD1F3KzewE + vw8FbT34fef+YayuIF3PPODtJwKBgQDMgcEnXARRzsIC7i1ggqSU8N0OUSu+rA/h + Md9Uh9HsY18p8JtNezAQ2vV4RL3R/CUPGXeDvCBYWhXlkNmjdCAsk24DZHs2Q18x + TeHZ15PUtmd2tH/tAxANDi6RTTjpQI3w2poXHl2ZVuT8M+XkTv0WzI0c8TNog2RA + SzHd5z5JbQKBgQCDlvim5E+bKzywYjfuDYYQFNeZNCTT8aSxn1XoKf/qWooVYlin + ++KDWnzzurmpSoKR5z4jV/SqL6aJr6aej1zJNJx2E65A5r1d6AejFp0mQCMca4P5 + 3paXdlZD2EGZjMSb05extojPj6YRpK9G0aHQ1plJB12SSFQicEUfyKOw9wKBgD09 + ScLoih6ZRH2uJwZ0eKZlLj0AT5IsYiD0V0Uv2svnwfKEK21bSzxw5Prb0t/TmqFX + 5fMb3a+3YkE5TALnXk8a4uG/MCpCqHnSMaSTKqCS8o6YZIpr1V2jdoxqTHWEsDyE + qYnsvOiTHcTsIZZplN5D6KnXDKbqWZXrLoadnYhNAoGACESLgCy552WcM7vNt4Fw + 7lR/O3gEnwD41gIx5EGa/UoA08Q+i7sBt9PkL4oQrJ/MYCcVNnmg9KrJdlqF4AlE + HYeZSkMuQDYHcaO9xtYP3QdhD+nLXbNrCxaSSaSX8tS4BjdcSH1yMyLFg5OqiJYg + wYFiptyKFm5QqFhFTY+20aE= + -----END PRIVATE KEY----- + signingCert: + -----BEGIN CERTIFICATE----- + MIIDkzCCAnugAwIBAgIUIpCM7WELyJfpc7xZ3lfoNr87i04wDQYJKoZIhvcNAQEL + BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM + GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDESMBAGA1UEAwwJbG9jYWxob3N0MB4X + 
DTIzMTEwMjA5MDAwM1oXDTMzMTAzMDA5MDAwM1owWTELMAkGA1UEBhMCVVMxEzAR + BgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5 + IEx0ZDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A + MIIBCgKCAQEAqMClJXznycV2bQ1pFbN8W+AWSYhpS2MVAGhkWNlmxv2Ix0/+n6zj + ivjdoxcq7RJR4kVycoVeD07DiWElYSnQLdeQPgKAcBiwilR30UyyDTKcqDQQ5rkC + g2ONlwV0aMsg74KaXeXsV653ASs3FYEtuS1aD/Db5+FyXF8HkHo8xy19NUnqsDWQ + nh1Hhklynxu2tvW0fw2oDE1pwNl+WLEVPtlcpCtf4VSv+GawtBiI6xmYsGBMC9w2 + 9ESHFqPw0NSCRhlyJf6rDBNH/766mzK/vEzA4rzGTBEUqDxTg/8JpRhh9D3qljSs + mqCtpQoloOAaUKCqSJb/hKPspe+7r9cYmwIDAQABo1MwUTAdBgNVHQ4EFgQUsh7G + ZzAm0SAvjGMv1DCa9jN07AowHwYDVR0jBBgwFoAUsh7GZzAm0SAvjGMv1DCa9jN0 + 7AowDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAAWSzxB0qNGD1 + DzJdH5l6NPRwpY8fIvDy8kE7t7+tefa7psJucwObRdjoD7B15O45Sm0+J17hxa7Z + N7sYf8Oo+xotv1xpOMq3GxTXcQZBjYNNMHAfOiNayGJVPmzgsv7K4+RwpkQ67f9H + rXdYsSD8t9BVqhuOjR6zKtU0KVez+7HHIqdFdGJ0xPEzoeGbxFuXyPScn8XKWOtC + bEfNo6e2w34TDSWdTM4fZPLbtcqjwMBiDKxu1dshV8w/qboINfFeTsMd1+qY4seX + xL9fTh68EbjJu0c0MFY3F+yjpmsVXcumZpMa+GN1bc3+OndGnvecsgJlPNMF7vbz + WWUBc/oIBg== + -----END CERTIFICATE----- revocable: false refresh: format: opaque @@ -93,6 +120,23 @@ login: KdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3oePe84k8jm3A7EvH5wi5hvCkK RpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0= -----END CERTIFICATE----- + oauth: + providers: + microsoft: + type: oidc1.0 + discoveryUrl: https://login.microsoftonline.com/7f51701b-99a6-4152-a2aa-fbf92ff05d36/v2.0/.well-known/openid-configuration + issuer: https://login.microsoftonline.com/7f51701b-99a6-4152-a2aa-fbf92ff05d36/v2.0 + scopes: + - openid + - email + - profile + attributeMappings: + user_name: email + email_verified: verified_primary_email + linkText: Login with Microsoft + showLinkText: true + relyingPartyId: 795097d6-6b10-4025-958f-9b59ad09c037 + jwtclientAuthentication: true ratelimit: loggingOption: AllCalls
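Review bot: in step 2 of docs/OIDC-Provider-Examples/microsoft-oidc-provider.md the redirect URI is given as `http://{UAA_HOST}/login/callback/{origin}`; that callback carries the authorization code, and Entra only accepts plain http redirect URIs for localhost, so this should read `https://{UAA_HOST}/login/callback/{origin}`. In step 4 the link text is the discovery URL but the href points at the learn.microsoft.com v2-protocols-oidc page, so one of the two should change. Step 3 says to take the certificate from `UAA/token_keys` property `x5c`; that value is base64 DER without PEM armor, so say that it has to be wrapped in `-----BEGIN CERTIFICATE-----` / `-----END CERTIFICATE-----` before uploading it under "Certificates and secrets", and that it only exists when `signingCert` is configured for the active key. It would also help to state that `type: oidc1.0` is UAA's provider type (OpenID Connect 1.0) and is unrelated to the Entra "v2.0" endpoint version mentioned as a prerequisite. Spelling: "Prerequisit", "aplication", "serets", "reommended", and "former Azure" (formerly Azure AD); "the scope `openid`, `email` and `profile` is included" should be "the scopes ... are included".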
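Review bot: `signingCert:` under `jwt.token.policy.keys.key-1` in scripts/cargo/uaa.yml has no `|` block-scalar indicator, while `signingKey: |` directly above it does, so YAML parses the certificate as a multi-line plain scalar and folds its lines into one space-separated string instead of a PEM block. Add the `|` so the PEM keeps its line structure and the two entries are consistent:

    signingCert: |
      -----BEGIN CERTIFICATE-----

The certificate itself is a self-signed, CA:TRUE, CN=localhost certificate valid for ten years; that is fine for a local development profile, but since it is the certificate the new docs tell readers to register in Entra, it should be labelled as test material.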
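Review bot: `login.oauth.providers.microsoft` in scripts/cargo/uaa.yml hard-codes a concrete tenant (`7f51701b-...`) and `relyingPartyId: 795097d6-...`, so every developer running the cargo profile gets a "Login with Microsoft" link that depends on one person's app registration. With `jwtclientAuthentication: true` that registration has to trust the `key-1` certificate whose private key is checked into the same file, so anyone with the repository can authenticate to Entra as that client; either leave this provider out of the default cargo config or state in a comment that it is a throwaway test registration. The mapping `email_verified: verified_primary_email` also relies on the `verified_primary_email` optional claim being enabled in the app registration's token configuration; that prerequisite, and the mapping itself, are not mentioned in the new docs page, so either add them to step 5 there or drop the mapping here.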